DJB writes:

DNSSEC reduces existing confidentiality by publishing the complete list of
"secured" DNS records. This publication is integrated into the DNSSEC
protocol; it is independent of classic "zone transfers" and cannot be
disabled by administrators. The "NSEC3" variant of DNSSEC attempts to
reduce this exposure but is almost always breakable.

(source: http://dnscurve.org/dnssec.html retrieved Tuesday, September
2nd, 9:31 am BST)

I'd like to have more information on how the "NSEC3" variant of DNSSEC is
almost always breakable. I'd like to know how to interpret "almost always
breakable".

Thanks,

Roy Arends
Nominet
